Uncovering security issues in the latest 5G standards

Adam Greenhill from Security Compass.

As 5G becomes more ubiquitous across the globe, the security community is given more of a chance to review and understand the potential security concerns associated with implementing the standard. These security concerns fall into two categories: inherited flaws and out-of-specification issues.

Inherited flaws

Bloomberg reports that it will cost hundreds of billions of dollars to upgrade from 4G/LTE to 5G. This is a massive cost for any company or nation to bear, requiring many companies to slowly phase in the next generation of cellular technology over the next decade. Because these partial 5G networks rely heavily on pre-existing 4G/LTE technology, they will also absorb their vulnerabilities. 

Because of how fast technology moves forward, it can be difficult even for tech enthusiasts to keep up to date, let alone non-technical people. To ensure that everyone has sufficient time to upgrade, new standards are typically made to support older ones as well. However, in allowing support for older generations, downgrade attacks can potentially be performed. 

Downgrade attacks trick users into leveraging insecure and out-of-date versions of a protocol. These types of attacks can be found everywhere. Take, for instance, the Transport Layer Security (TLS) protocol that a browser leverages to securely surf the internet. Even the latest TLS version published in 2018 has been found to be vulnerable to downgrade attacks. But there’s an easy fix. A web browser can be configured to limit access to websites that leverage the latest, most secure protocols, disabling anything deemed insecure. With those protocols disabled, if someone attempts a downgrade attack against it, the browser will simply refuse.
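To make the client-side fix concrete, the following added example (not part of the original article) uses Python's standard `ssl` module to build a real ClientHello and list the protocol versions the client is willing to negotiate once a version floor is configured. The helper names and the hostname `example.test` are assumptions made for illustration.

```python
import ssl
import struct

def client_hello(floor):
    """Return the raw ClientHello sent by a client whose lowest allowed version is `floor`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor          # the "disable insecure protocols" setting
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                             # expected: hello written, no server reply yet
    return outgoing.read()

def offered_versions(hello):
    """Extract the supported_versions list (extension 43) from a ClientHello record."""
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, legacy_version, random
    pos += 1 + hello[pos]                # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]                # compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        body = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == 43:               # first byte is the list length in bytes
            return [struct.unpack_from("!H", body, i)[0] for i in range(1, 1 + body[0], 2)]
        pos += 4 + ext_len
    return []

def can_be_downgraded_to(floor, wire_version):
    """True if a client with this floor would even offer `wire_version` to a server."""
    return wire_version in offered_versions(client_hello(floor))

if __name__ == "__main__":
    names = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
    for floor in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        offered = offered_versions(client_hello(floor))
        print(floor.name, "offers", [names.get(v, hex(v)) for v in offered])
    print("TLS 1.0 reachable with a 1.2 floor:",
          can_be_downgraded_to(ssl.TLSVersion.TLSv1_2, 0x0301))
```

Because versions below the floor never appear in the offer, a party in the middle has nothing older to steer the handshake toward.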

Cellular devices don’t have the same flexibility that web browsers do. When a mobile device connects to a cellular network, the user has no control over the process. There’s no setting in an iPhone or a Pixel that can be configured to prevent a phone from connecting to out-of-date and insecure cellular networks (like 2G). The Electronic Frontier Foundation (EFF) is actively lobbying tech giants, namely Apple, Samsung, and Google, to allow users the ability to disable insecure cellular standards within their devices. Until these changes are implemented, adversaries have the potential to sidestep all the security controls implemented by 5G by performing downgrade attacks.

The current 5G standards define very explicit details, but there are a number of areas of 5G that are deemed out-of-scope. These are the areas that companies and network operators have to figure out on their own, and therefore where the probability of getting something wrong is highest. This includes security problems with the cloud, web application vulnerabilities, and privacy concerns.

Cloud computing vulnerabilities

To enable the flexibility of virtualization and network slicing, many companies will push their 5G environments into the cloud. Empowering 5G with cloud will result in many benefits. However, these benefits come at a cost. Cloud misconfigurations are frequently cited in the news, such as storage services open for anyone to browse, or management interfaces exposed with default credentials. Telecom companies will need to ensure their cloud environments are completely secure before going live.

Another consideration is attacks from inside the 5G network. Unlike previous generations of cellular standards, 5G will be required to execute potentially untrusted third-party code within its environment. With multi-access edge computing, companies will be able to run applications in edge locations all around the world. 

Web application issues 

With 4G/LTE, rather than having separate protocols for voice, text messages, and data, all communications are treated as Internet Protocol (IP) packets. On top of IP, custom telecommunications protocols were built. 5G eliminates these custom protocols and instead leverages HTTP for internal network communication.

The adoption of such a well-known standard will enable flexibility in the future for upgrading or changing components. However, it will also lower the bar considerably from a security perspective, allowing adversaries to attack core infrastructure. Web related vulnerabilities are thoroughly documented by organizations such as OWASP and can allow anyone to understand and attack the next generation of wireless technology. 

Complications managing user privacy

In recent years, end-user privacy has become a focus around the world. Researchers are examining the controls within 5G, looking to identify improvements to the standard before the design is finalized. In the whitepaper “5G Privacy Scenarios and Solutions”, researchers identified that one of the main privacy concerns relates to responsibility ambiguity.

Mobile network operators will need to work with cloud providers and third-party developers to define who has what responsibilities in terms of user privacy, and how each player will be held responsible. One might suspect that current privacy regulations help provide assurance here. But 5G networks do not stop at a country’s border since radio waves have no comprehension of political jurisdictions. So, it is entirely possible for overlapping laws to conflict. The situation becomes even more convoluted when an incident occurs, because it’s not possible to predict which law(s) will take precedence when a victim, an attacker, and the service provider are from different locations.

And all of this is assuming that a nation state has implemented 5G with industry best practices. To ensure confidentiality and integrity of over-the-air communication, 5G leverages the New Radio Encryption Algorithm (NEA) and New Radio Integrity Algorithm (NIA) respectively. Both algorithms support the highly secure Advanced Encryption Standard (AES). 

As 5G becomes ubiquitous, lawmakers around the world will need to devise adequate policies to ensure there are no gaps in protecting end-user data.

Conclusion

The emergence of the fifth generation of cellular technology will revolutionize the world and facilitate unprecedented use of internet-connected devices. As it stands, the security of the protocol rests not only with the researchers developing the standard, but also with the lawmakers developing policies that pertain to 5G. Entities involved in deploying the next generation of cellular technologies need to consider security early in the planning stages, ensure that any third-party code running at the network edge is safe and isolated from the rest of the network, and ensure that their overall cloud configurations are secure and adhere to best practices. Because at the end of the day, the security of 5G rests in the hands of the entities implementing it.

Adam Greenhill

Adam Greenhill is Principal Consultant at Security Compass. As a Principal Consultant at Security Compass, Greenhill regularly applies his expertise to a diverse array of network, web, and mobile security assessments. His research in IoT, 5G, and other emerging technologies continues to contribute to a world in which we can all trust technology.